The Web Security Mailing List

"First the good news: Despite the global
recession, two-thirds of organizations either have no plans to cut Web
application security spending, or they expect their spending to
increase this year. Now the bad news: Spending for security
applications is less than 10 percent of the overall security budget in
36 percent of organizations, few of which have developers dedicated to
security, according to a new Open Web Application Security Project (OWASP) report (PDF).

Around 67 percent of the survey's respondents -- security professionals
and executives from 51 companies -- have a dedicated IT security
budget, while 89 percent of companies with 1,000 or more employees have
a dedicated security spending pot. Not surprisingly, companies that had
been hit with a data breach in the past two years were more likely (86
percent) to have a dedicated security budget than those that had not
suffered a public breach (52 percent).

More than one-fourth of the companies in the survey say they
will be spending more in Web application security this year than last;
36 percent expect their spending to stay the same.

But most aren't investing a lot in developers with security know-how.
Around 40 percent of the respondents have less than 2 percent of their
developer staff dedicated to security, according to the report."